MDM: From Nice to Have to Necessity

Transcript

1. © JAMF Software, LLC MDM: From ‘Nice to Have’ to

   Necessity 2:45 - 3:30 PM UP NEXT

2. Rich Trouton • 20 years of Mac system support experience

   • Generally can be found drinking a Diet Coke • Has been known to write things down • @rtrouton on Twitter and Slack

3. MDM: From "Nice to Have" To Necessity

4. What is MDM?

5. • API for sending device management commands • For iOS,

   usable on iOS 4.x and later. • For macOS, usable on 10.7.x and later. • For tvOS, usable on tvOS 10.x and later. • Not all MDM commands are backwards-compatible

6. Why use it?

7. Which things are only possible when using MDM? • DEP-enabled

   setup • Remote wipe • App distribution using VPP • UAMDM-based management

8. How does MDM management work? • Apple's push notification services

   (APNS) • Mobile device management (MDM) server
9. None

10.  http://init-p01st.push.apple.com/bag

11. None

12.  APNS

13.  APNS

14. None

15.  APNS

16.  APNS

17.  APNS

18. 1

19. https://support.apple.com/HT203609

20. None

21. • APNS never needs an inbound network connection on your

    network. • Only outbound connections from your network to Apple’s network (17.0.0.0 / 8) are needed for APNS. • APNS never makes unsolicited connections. • APNS uses TLS 1.2 • APNS authenticates all transactions with device tokens and payload tokens, and validates all SSL certificates.

22. https://twocanoes.com/products/mac/push-diagnostics/

23. https://twocanoes.com/products/mac/push-diagnostics/

24. https://www.youtube.com/watch?v=Z-Lg9uBbmfk A Push Odyssey: Journey to the Center of APNS:

25. What’s an MDM server? 1. HTTPS server 2. Needs to

    be able to respond with both of the following: • HTTP 200 OK • A plist in XML format which contains a command.

26. Perpetual plist passing

27. Perpetual plist passing

28. MDM Server Certificates • APNS Vendor Certificate • APNS Push

    Certificate

29. MDM Server Certificates • APNS Vendor Certificate • Used to

    sign APNS push certificate’s certificate requests (CSRs)
30. None
31. None
32. None
33. None

34. MDM Server Certificates • APNS Push Certificate • Used by

    MDM server to communicate with APNS

35. https://identity.apple.com

36. https://identity.apple.com

37. APNS Apple ID Do’s and Don’ts Do: •Have an Apple

    ID dedicated just to creating your APNS certificate. •Have multiple Apple IDs for your APNS certificates if you have more than one MDM server . •Have the Apple ID(s) documented.

38. APNS Apple ID Do’s and Don’ts Don’t: •Use a personal

    Apple ID. •Use an Apple ID tied to your specific work email address. •Lose the password to your Apple ID(s).
39. None
40. None
41. None
42. None
43. None

44. APNS push certificate

45. APNS push certificate topic

46. None
47. None
48. None
49. None
50. None

51.  APNS MDM

52.  APNS MDM

53. None

54.  APNS MDM

55.  APNS

56.  APNS MDM

57. APNS device token

58.  APNS

59. 1

60. None

61. MDM

62. MDM

63. MDM

64.  APNS Topic Topic

65.  APNS Topic + Device ID =

66.  APNS

67. MDM

68. PushMagic

69. MDM  APNS

70. MDM  APNS

71. MDM  APNS

72. MDM  APNS

73. MDM  APNS

74. = "Hey you! Check in with your MDM server!”

75. +Topic + = +

76. None
77. None
78. None
79. None

80. OS X Mavericks Kernel extensions should be digitally signed using

    an Apple Developer ID for Signing Kexts certificate, but this code signing requirement is not enforced strictly. Unsigned kernel extensions can still be installed into /System/Library/ Extensions, which is where kernel extensions have been installed up until OS X Mavericks. However, signed kernel extensions must be installed into /Library/Extensions. OS X Yosemite Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. However, it is still possible on OS X Yosemite to enable a kernel extension developer mode which disables the code signing requirement.

81. OS X El Capitan Kernel extensions must be digitally signed

    using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection, introduced as part of OS X El Capitan, now enforces code signing and explicitly disables the kernel extension developer mode previously available in OS X Yosemite. macOS Sierra Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.

82. https://support.apple.com/HT207828

83. None
84. None
85. None
86. None

87. MDM macOS 10.13.0 - 10.13.3

88. macOS High Sierra 10.13.0 - 10.13.3 + MDM Kernel extensions

    must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.
89. None

90. UAMDM macOS 10.13.4 - Now

91. None
92. None
93. None
94. None
95. None
96. None
97. None
98. None
99. None

100. Device Enrollment Program (DEP)

101. None
102. None
103. None

104. = UAMDM automatically enabled

105. Volume Purchase Program (VPP)

106. None
107. None
108. None
109. None
110. None
111. None
112. None
113. None
114. None
115. None
116. None
117. None
118. None
119. None
120. None

121. Managed Clients for Mac OS X

122. None
123. None

124. Managed Clients for Mac OS X Managed User Control None,

     Never Unmanaged or never set User has full control of setting Once Preset with value from MCX User has full control of setting Often Reset with value from MCX at each login User has full control of setting, resets back to MCX-enforced setting at logout Always Forced from MCX User cannot control setting

125. Mobile Device Management Managed User Control None, Never Unmanaged or

     never set User has full control of setting Once Preset with value from MCX User has full control of setting Often Reset with value from MCX at each login User has full control of setting, resets back to MCX-enforced setting at logout Always Forced from MCX User cannot control setting
126. None
127. None

128. MDM ≠ Total Management MCX ≠ Total Management

129. MDM ≠ Total Management Profile Can Do: Profile Cannot Do:

     SSH Nothing Turn SSH on and off Manage SSH configuration Sudo Nothing Manage access to the sudo tool Firewall Turn firewall on and off Enable stealth mode Block incoming connections Allow or block applications from connecting Set IP- or DNS-based firewall rules Application Access Whitelist application by code signature Blacklist application by code signature Directory Service Bind to Active Directory Bind to LDAP* *Can bind to Apple's Open Directory

130. AppleScript Ruby JavaScript Perl Shell Python

131. Script Can Do: SSH Turn SSH on and off Manage

     SSH configuration Sudo Manage access to the sudo tool Firewall Turn firewall on and off Enable stealth mode Block incoming connections Allow or block applications from connecting Set IP- or DNS-based firewall rules Directory Service Bind to Active Directory Bind to LDAP

132. https://github.com/google/santa

133. ?

134. https://developer.apple.com/documentation/ devicemanagement/profile-specific_payload_keys

135. https://derflounder.wordpress.com/2015/07/31/ gatekeeper-automatically-re-enables-after-30-days- on-yosemite-and-later/

136. defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false

137. None

138. https://openradar.appspot.com/22094327

139. Always Manage Manage Once

140. Re-test for each OS

141. None
142. None
143. None

144. vs 1. See if you can use a profile. 2.

     If not, use a script. 3. Check back later to see if you can use a profile.

145. Apple Mobile Device Management: https:// developer.apple.com/documentation/devicemanagement Apple Device Management documentation:

     https:// developer.apple.com/documentation/devicemanagement A Push Odyssey - Journey to the Center of APNS: https:// www.youtube.com/watch?v=Z-Lg9uBbmfk Getting MicroMDM working and working with MicroMDM: https://youtube.com/watch?v=WGKT-PyHz6I Useful Links Demystifying MDM: open source endeavours to manage Macs: https://youtube.com/watch?v=6DBGIDcBKFw

146. Apple Mobile Device Management Profile-Specific Payload Keys: https://developer.apple.com/documentation/ devicemanagement/profile-specific_payload_keys Santa:

     https://github.com/google/santa Gatekeeper automatically re-enables after 30 days on Yosemite and later: https://derflounder.wordpress.com/ 2015/07/31/gatekeeper-automatically-re-enables-after-30- days-on-yosemite-and-later/ Useful Links

147. Downloads PDF available from the following link: https://tinyurl.com/JNUC2019PDF Keynote slides

     available from the following link: https://tinyurl.com/JNUC2019Keynote

148. © JAMF Software, LLC Thank you for Give us feedback

     by completing the 2- question session UP NEXT Offboarding in a Modern Workflow 4:00 PM